[Openid-specs-ab] Spec call notes 20-Dec-12

Mike Jones Michael.Jones at microsoft.com
Thu Dec 20 16:16:41 UTC 2012


Spec call notes 20-Dec-12

Brian Campbell
John Bradley
Nat Sakimura
Justin Richer
Mike Jones
Tim Bray

Agenda:
               Inconsistency between user_id and prn
               Allowing multiple audiences
               "cid" claim
               Open Issues
               Editing
               WebFinger

Inconsistency between user_id and prn:
               No one objected to making them consistent
               People felt that subject is actually the better term than principal
                              It's parallel to SAML
                              Even JWT defines prn in terms of "subject"

Allowing multiple audiences:
               Our sense is that allowing "aud" to be either a string or an array of strings is OK and less invasive than always forcing it to be an array.
               Nat suggested that we also say that when there is no audience restriction we leave

Open Issues:
               There was 1 new open issue
               #689 JWT aud claim issues - about allowing multiple audiences

"cid" claim:
               The "cid" claim represents the party authorized to use the token
               There isn't a way for the audience to verify who the party was that presented the token
               John believes this is related to proof of possession
               Justin says that having this claim makes sense because there would be representations for all 4 OAuth parties
               Descriptions: Authorized user, registered user, authorized party ("azp"?)
               Or we may want an OAuth-specific claim, which could be "cid"
               Authorized presenter ("azp") seems like a more general form
               We could define this in Connect but not in JWT for the moment
                              We would need to define a processing rule when "azp" is received
                                             The client can ignore it but it is used by the resource

               The "cit" (Client Identification Data claim type) claim is more related to proof of possession, and can wait

Editing update:
               Mike is doing his JOSE/JWT edits first, then will do Connect
               John is working on applying his smaller edits first
               John said that IdP-initiated login is related to Account Chooser, audience validation
                              He will make another ticket about audience validation

WebFinger:
               Paul is almost ready to publish an updated HTTPS-only WebFinger draft
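A worked check for the two claims discussed above ("aud" as either a string or an array of strings, and a processing rule for "azp"), added here as an example; it is not code from these notes, from the call participants, or from any OpenID or JWT specification. It assumes the JWT signature has already been verified and the claims set JSON-decoded, assumes the resource knows which party handed it the token (presenter_id, e.g. the client_id established by client authentication on the request), and the "azp" rule it applies is an assumption modeled on the rule OpenID Connect Core 1.0 later adopted for ID Tokens (an "azp" claim is required when the token has several audiences, and when present it must name the presenter). The sample claims sets are constructed for the example and are not real tokens.

```python
"""Audience and azp checks on a decoded JWT claims set.

Added example, not code from the call notes or from any OpenID/JWT spec.
Assumes the token is already signature-verified and JSON-decoded; the azp
rule is an assumption modeled on what OpenID Connect Core 1.0 later adopted.
"""
import json


class ClaimsError(ValueError):
    """Raised when the claims set fails audience or azp validation."""


def normalize_aud(claims):
    """Return the 'aud' claim as a list of strings.

    'aud' may be a single string or an array of strings. Anything else,
    including an empty array or a non-string member, is rejected rather
    than silently treated as 'no audience restriction'.
    """
    if "aud" not in claims:
        return []
    aud = claims["aud"]
    if isinstance(aud, str):
        return [aud]
    if isinstance(aud, list) and aud and all(isinstance(a, str) for a in aud):
        return list(aud)
    raise ClaimsError("aud must be a string or a non-empty array of strings")


def validate_audience(claims, my_id):
    """Accept the token only if my_id is one of its audiences.

    A token with no 'aud' at all is refused: a resource that accepts
    unrestricted tokens lets a token minted for one party be replayed at
    any other, which is the audience-validation concern raised on the call.
    """
    auds = normalize_aud(claims)
    if not auds:
        raise ClaimsError("token carries no audience restriction")
    if my_id not in auds:
        raise ClaimsError(f"audience {auds!r} does not include {my_id!r}")
    return True


def validate_azp(claims, presenter_id):
    """Assumed rule: bind the token to the party that presented it.

    If 'azp' is present it must name presenter_id. If the token has more
    than one audience, 'azp' is required, because 'aud' alone then cannot
    say which of those parties was authorized to present the token.
    """
    auds = normalize_aud(claims)
    azp = claims.get("azp")
    if azp is None:
        if len(auds) > 1:
            raise ClaimsError("multi-audience token without azp")
        return True
    if not isinstance(azp, str):
        raise ClaimsError("azp must be a string")
    if azp != presenter_id:
        raise ClaimsError(f"azp {azp!r} does not match presenter {presenter_id!r}")
    return True


def check_token(claims_json, my_id, presenter_id):
    """Run both checks on a JSON-encoded claims set; return (ok, reason)."""
    try:
        claims = json.loads(claims_json)
        validate_audience(claims, my_id)
        validate_azp(claims, presenter_id)
        return True, "ok"
    except ValueError as e:  # ClaimsError and JSONDecodeError both derive from it
        return False, str(e)


# Constructed sample claims sets for the example (not real tokens).
SAMPLES = {
    "single_aud": '{"iss":"https://op.example","sub":"248289761001","aud":"rs_1"}',
    "multi_aud_with_azp": '{"iss":"https://op.example","sub":"248289761001",'
                          '"aud":["rs_1","client_a"],"azp":"client_a"}',
    "multi_aud_no_azp": '{"iss":"https://op.example","sub":"248289761001",'
                        '"aud":["rs_1","client_a"]}',
    "azp_mismatch": '{"iss":"https://op.example","sub":"248289761001",'
                    '"aud":["rs_1","client_a"],"azp":"client_b"}',
    "no_aud": '{"iss":"https://op.example","sub":"248289761001"}',
    "empty_aud": '{"iss":"https://op.example","sub":"248289761001","aud":[]}',
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, check_token(body, my_id="rs_1", presenter_id="client_a"))
```

The resource's own identifier (my_id) and the presenter's identity are inputs the resource must already trust; the checks only bind the token to them. Note that a single-audience token with no "azp" is accepted here, which is the point Justin and John raised: without "azp" or proof of possession, the audience cannot tell who presented it.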